Privacy Policy

How Kaadxpay collects, uses, shares and protects personal data submitted through www.kaadxpay.com — under Malaysia's Personal Data Protection Act 2010 and FATF AML/CFT data requirements.

Effective: 2026-05-17Version: v1.0compliance@kaadxpay.com

Notice — pre-licensure v1.0

This is the v1.0 pre-licensure release of this document. It reflects Kaadxpay's currently implemented operating practice. Final text will be reviewed and signed off by our legal counsel after LFSA issues the final PSO licence and the new effective date will be posted here. For questions on any clause, or to request a formal copy ahead of finalisation, please use the email below — we respond within one business day.

01Who we are

Kaadxpay Financial Solutions Pty. Ltd. ("Kaadxpay", "we", "us", "our") is a company incorporated in the Federal Territory of Labuan, Malaysia, holding an Approval-in-Principle from the Labuan Financial Services Authority for a Payment System Operator licence. This Privacy Policy explains how we collect, use, share and protect personal data submitted through our website at www.kaadxpay.com (the "Site").

For data processed inside our merchant portal, payment APIs or compliance systems, see the separate Customer Privacy Notice that you accept upon onboarding. This document covers the public marketing site only.

Data controller

For the purposes of this Site, the data controller is Kaadxpay Financial Solutions Pty. Ltd., Lot A, Level 12, Main Office Tower, Financial Park Labuan, 87000 Labuan F.T., Malaysia. Our Data Protection Officer can be reached at compliance@kaadxpay.com.

02What personal data we collect

We only collect personal data that you knowingly provide or that is automatically generated when you interact with the Site. We do not buy mailing lists or scrape personal data from third-party sources.

Category	What we collect	Source
Contact form	Name, email, company, topic, message body, IP address, user-agent.	Provided by you
Merchant application	Business name, registration number, country, business model, monthly volume estimate, contact name and email, optional notes.	Provided by you
Channel-partner application	Organisation name, website, ASEAN corridors covered, partnership type, contact name and email.	Provided by you
Newsletter subscription	Email address, preferred locale, source page where you subscribed.	Provided by you
Server logs	IP address, request timestamp, HTTP path and method, user-agent, response status. Retained for security monitoring and abuse prevention.	Automatic
Analytics	Pseudonymised page-view events, country (city-level off), referrer, screen size, language. Collected only after you accept the analytics cookie banner.	Automatic, consent-gated
Cookies	Strictly-necessary cookies (locale preference, consent state) and, with your consent, analytics cookies. See the Cookie Policy for the complete list.	Automatic / consent-gated

We do not collect special categories of personal data (e.g. health, biometric, racial, political, religious or sexual-orientation data) through this Site. If you accidentally submit such data inside a free-text field, please notify us so we can delete it.

03Why we use it (lawful basis)

Under the Personal Data Protection Act 2010 (Malaysia) ("PDPA") and, where applicable, the EU/UK General Data Protection Regulation, we rely on the following lawful bases:

Consent — for newsletter subscription and analytics cookies. You can withdraw consent at any time via the cookie preference link in our footer or by emailing the address above.
Contract / pre-contractual steps — for application forms (merchant onboarding, channel partnership) where you ask us to evaluate a potential commercial relationship.
Legitimate interests — security monitoring (server logs), fraud prevention, rate-limiting, anti-spam (honeypot fields), and ensuring the Site functions correctly. We balance these interests against your privacy rights.
Legal obligation — record-keeping requirements under LFSA prudential rules, Malaysia tax law, and AML/CFT obligations under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001.

We never use the personal data submitted via this Site for automated decision-making with legal effects, behavioural advertising, or sale to third parties.

04Who we share data with (subprocessors)

We share data with carefully selected service providers strictly to operate the Site. Each subprocessor is bound by a written contract with confidentiality, security and data-processing terms.

Subprocessor	Purpose	Data location
Tencent Cloud	Hosting infrastructure (CVM compute + container runtime) for the Site.	Singapore region
Caddy / Let's Encrypt	Reverse proxy and TLS certificate issuance.	On our infrastructure
Zoho Mail	Outbound transactional email for form submissions and newsletter notifications.	United States / India
Google Analytics 4	Aggregate site analytics (consent-gated; IP truncation enabled).	United States / EU
Google Search Console / Bing Webmaster	Search-engine indexation diagnostics. No personal data of visitors is shared.	United States

We may also disclose data when required by law, by an order of a court or regulator of competent jurisdiction, or where strictly necessary to defend Kaadxpay's legal rights. In every such case the disclosure is documented and reviewed by our compliance team.

05International transfers

Some of our subprocessors process data outside Malaysia. Where personal data is transferred to a country that does not have a data-protection law judged equivalent to PDPA, we rely on Section 129 PDPA exceptions or equivalent contractual safeguards (Standard Contractual Clauses for EU/UK transfers).

06How long we keep your data

Contact-form submissions: 24 months from last interaction, then deleted from inbox. Spam-flagged messages purged within 30 days.
Merchant / channel applications: kept for the lifetime of the prospect relationship plus 5 years (LFSA prudential record-keeping). Withdrawn applications deleted on request.
Newsletter list: until you unsubscribe (one click in every email). Unsubscribe records retained 12 months for compliance.
Server logs: 90 days, then automatic deletion.
Analytics events: 26 months (GA4 default).
Cookies: see the Cookie Policy for the per-cookie expiry table.

07Your rights

Subject to PDPA Section 30–37 (and equivalent provisions in other jurisdictions), you have the right to:

Access — receive a copy of the personal data we hold about you.
Rectification — correct inaccurate or outdated data.
Erasure — request deletion when the lawful basis no longer applies.
Restriction — limit how we process your data while a complaint is investigated.
Withdrawal of consent — for newsletter or analytics cookies, at any time.
Lodge a complaint — with the Personal Data Protection Department of Malaysia (https://www.pdp.gov.my) or, for EU residents, your local supervisory authority.

To exercise any of these rights, email compliance@kaadxpay.com. We respond within 21 calendar days (PDPA statutory limit) and never charge a fee for the first request in a 12-month period.

08How we protect data

TLS 1.2+ encryption in transit on all Site endpoints (Let's Encrypt certificates, auto-renewed by Caddy).
Server-side input validation, rate-limiting and honeypot anti-bot on every form endpoint.
Subprocessor access only via short-lived application credentials; no shared logins.
Annual penetration test scheduled prior to LFSA verification visit.
Incident response procedure with 72-hour breach-notification target consistent with GDPR Art. 33 and PDPA personal-data-breach guidance.

09Children's data

The Site is intended for business users and is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted personal data through the Site, please contact us immediately and we will delete it.

10Changes to this policy

We may update this Privacy Policy as we extend the Site, change subprocessors, or in response to regulatory developments. Material changes will be highlighted in a banner at the top of this page for at least 30 days; the version number and effective date above are updated on every release.

A version history of this policy is maintained internally and provided on request to compliance@kaadxpay.com.